Kali Linux NetHunter Kernel Compilation Guide

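In recent years, with the rise of HVV exercises of every kind, new concepts have kept appearing. Close-access penetration testing is one of them.
A hacker out in the world needs some handy gear, right? I'm sure many people have dreamed of owning a dedicated hacker phone that can hack wherever it goes. Does such a phone exist in reality? The answer is yes! NetHunter can meet all of your needs!
Kali Linux NetHunter is an Android-based penetration testing environment built by the Offensive-Security team.
With Kali Linux NetHunter we can carry out all kinds of close-access penetration activities, such as cracking WiFi with an external wireless adapter, emulating a BadUSB device for HID attacks, and using an external USB Bluetooth adapter for Bluetooth attacks.
The list of officially supported device models can be found on the Kali Linux NetHunter website.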

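If you know how to flash Android devices and your phone model happens to be officially supported, just follow the official tutorial step by step.
If, unfortunately, your phone is not officially supported, but you are comfortable with Linux, know some Android development and C, and want to port NetHunter to your own phone, this tutorial shows how to port Kali NetHunter to a phone that is not officially supported.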

· An Android phone whose bootloader can be unlocked and whose kernel source is open
· A high-performance x86_64 PC

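Generally speaking, the quality of the kernel source released by phone vendors is uneven (to put it mildly). If we are going to port NetHunter ourselves, it is best to build from source forked by a well-known third-party developer.
The better-known ones include:
· LineageOS
· PixelExperience
· crDroid
· MoKee
· Havoc-OS
· Arter97
and so on; they are not all listed here.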

Older kernels (3.18.x and below) are generally built with Google GCC 4.9.
For newer kernels (4.4.x and above), building with Clang is recommended.
For the Google GCC compiler, download it with the following commands.
64-bit:

git clone https://mirrors.bfsu.edu.cn/git/AOSP/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9 -b android-10.0.0_r32 --depth=1

32-bit:

git clone https://mirrors.bfsu.edu.cn/git/AOSP/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9 -b android-10.0.0_r32 --depth=1

For the Clang compiler, download it with the following commands.
Google's official Clang:

git clone https://mirrors.bfsu.edu.cn/git/AOSP/platform/prebuilts/clang/host/linux-x86 --depth=1

Proton-clang:

git clone https://github.com/kdrag0n/proton-clang.git --depth=1

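For phones whose kernel source has been released, searching GitHub for a keyword is usually enough to find kernel source that suits your device.
The usual search keyword is android_kernel_<vendor name>_<CPU codename>,
or kernel_<vendor name>_<CPU codename>,
or kernel_<vendor name>_<device codename>.
For example, my device is a Xiaomi Redmi 4X: the vendor is xiaomi, the CPU codename is MSM8937 and the device codename is santoni, so I can search GitHub for android_kernel_xiaomi_msm8937, kernel_xiaomi_santoni or kernel_xiaomi_msm8937 to find the kernel source for the device.
One more point to note: the kernel source you pick should match the Android version of the ROM currently on the phone as closely as possible. For example, if the phone runs a LineageOS ROM, look for the LineageOS kernel source, and the branch must match as well.
Of course, you can also look on the XDA forums for kernel source from other good third-party authors.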

Here I use a Kali Linux system installed in a VMware virtual machine for the demonstration.

Latest Kali Linux image: download link

VMware Workstation Pro: download link

ADB-FASTBOOT tools for Linux: download link

# Point APT at the BFSU Kali mirror (this overwrites the existing sources.list)
echo "deb https://mirrors.bfsu.edu.cn/kali kali-rolling main non-free contrib" > /etc/apt/sources.list

# Update the system, then reboot
apt update && apt upgrade -y && apt full-upgrade -y && reboot

# Install the build dependencies
apt install -y curl wget vim git ccache automake flex lzop bison gperf \
build-essential zip zlib1g-dev g++-multilib libxml2-utils bzip2 libbz2-dev \
libbz2-1.0 libghc-bzlib-dev squashfs-tools pngcrush schedtool dpkg-dev \
liblz4-tool make optipng maven libssl-dev pwgen libswitch-perl \
policycoreutils minicom libxml-sax-base-perl libxml-simple-perl bc \
libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev \
libgl1-mesa-dev xsltproc unzip device-tree-compiler kmod python3 python3-pip

# Fetch the Proton Clang toolchain
git clone https://github.com/kdrag0n/proton-clang.git /root/proton-clang --depth=1

# Fetch the kernel source (crDroid fork for msm8937)
git clone https://github.com/crdroidandroid/android_kernel_xiaomi_msm8937.git
cd android_kernel_xiaomi_msm8937

# Build environment and the arguments passed to every make call
export ARCH=arm64
export SUBARCH=arm64
export KBUILD_BUILD_HOST=kali
export KBUILD_BUILD_USER=root
export LOCALVERSION=-NetHunter
export PATH="/root/proton-clang/bin:$PATH"
mkdir out
args="-j$(nproc --all) \
ARCH=arm64 \
SUBARCH=arm64 \
O=out \
CC=clang \
CROSS_COMPILE=aarch64-linux-gnu- \
CROSS_COMPILE_ARM32=arm-linux-gnueabi- \
CLANG_TRIPLE=aarch64-linux-gnu- \
AR=llvm-ar \
NM=llvm-nm \
OBJCOPY=llvm-objcopy \
OBJDUMP=llvm-objdump \
STRIP=llvm-strip "

Here, choose the patches that match your kernel version.
My kernel is 4.9, so I choose the patches for the 4.9 kernel.

git clone https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-kernel.git
patch -p1 < kali-nethunter-kernel/patches/4.09/add-wifi-injection-4.14.patch
patch -p1 < kali-nethunter-kernel/patches/4.09/fix-ath9k-naming-conflict.patch

make ${args} mrproper
make ${args} santoni_treble_defconfig

The following may differ between kernel versions; go by what you actually see!

make ${args} menuconfig

[Figure: menuconfig]

First enter "General setup".
Select "Local version - append to kernel release".
Clear everything in it.
Then uncheck "Automatically append version information to the version string".
Next select "Default hostname" and enter "kali".
Then check "System V IPC".
Then return to the previous menu.

As shown in the figure:

[Figure: general]

Next enter "Enable loadable module support".
Check the following options:
"loadable module support"
"Forced module loading"
"Modules unloading"
"Forced module unloading"
"Module versioning support"
Then return to the previous menu.

As shown in the figure:

[Figure: module]

Next enter "Networking support" -> "Bluetooth subsystem support" -> "Bluetooth drivers support".
Check the following options:
"HCI USB driver"
"Broadcom protocol support"
"Realtek protocol support"
"HCI UART driver"
"HCI BCM203x USB driver"
"HCI BPA10x USB driver"
"HCI BlueFRITZ! USB driver"
Then return to the previous menu.

As shown in the figure:

[Figure: bluetooth-driver]

Check the following options:
"Bluetooth Classic (BR/EDR) features"
"RFCOMM protocol support"
"RFCOMM TTY support"
"BNEP protocol support"
"HIDP protocol support"
"Bluetooth Low Energy (LE) features"
Then return to the previous menu.

As shown in the figure:

[Figure: bluetooth]

Enter "Wireless" and check the following options:
"nl80211 testmode command"
"use statically compiled regulatory rules database"
"cfg80211 wireless extensions compatibility"
"Generic IEEE 802.11 Networking Stack (mac80211)"
"Enable mac80211 mesh networking (pre-802.11s) support"
Then return to the previous menu.

As shown in the figure:

[Figure: wireless]

Next enter "Device Drivers" -> "Network device support" -> "USB Network Adapters".
Check the following options:
"USB RTL8150 based ethernet device support"
"Realtek RTL8152/RTL8153 Based USB Ethernet Adapters"
"ASIX AX88xxx Based USB 2.0 Ethernet Adapters"
"ASIX AX88179/178A USB 3.0/2.0 to Gigabit Ethernet"
Then return to the previous menu.

As shown in the figure:

[Figure: usb_net]

Next enter "Wireless LAN".
Check the following options:
"Atheros/Qualcomm devices"
"Atheros HTC based wireless cards support"
"Linux Community AR9170 802.11n USB support"
"Atheros mobile chipsets support"
"Atheros ath6kl USB support"
"MediaTek devices"
"MediaTek MT7601U (USB) support"
"Ralink devices"
"Ralink driver support"
"Realtek devices"
"Realtek 8187 and 8187B USB support"
"Realtek rtlwifi family of devices"
"RTL8723AU/RTL8188[CR]U/RTL819[12]CU (mac80211) support"
"Include support for untested Realtek 8xxx USB devices (EXPERIMENTAL)"
"ZyDAS devices"
"USB ZD1201 based Wireless device support"
"ZyDAS ZD1211/ZD1211B USB-wireless support"
"Wireless RNDIS USB support"

In "Ralink driver support", check the following options:
"Ralink rt2500 (USB) support"
"Ralink rt2501/rt73 (USB) support"
"Ralink rt27xx/rt28xx/rt30xx (USB) support"
"rt2800usb - Include support for rt33xx devices"
"rt2800usb - Include support for rt35xx devices (EXPERIMENTAL)"
"rt2800usb - Include support for rt3573 devices (EXPERIMENTAL)"
"rt2800usb - Include support for rt53xx devices (EXPERIMENTAL)"
"rt2800usb - Include support for rt55xx devices (EXPERIMENTAL)"
"rt2800usb - Include support for unknown (USB) devices"

In "Realtek rtlwifi family of devices", check
"Realtek RTL8192CU/RTL8188CU USB Wireless Network Adapter"
Then return to the main menu.

As shown in the figures:

[Figures: Atheros, MediaTek, Ralink, Realtek, ZyDAS]

Enter "Device Drivers" -> "Multimedia support" and check:
"Digital TV support"
"Software defined radio support"
"Media USB Adapters"

In "Media USB Adapters", check:
"Airspy"
"HackRF"
"Mirics MSi 2500"
Then scroll to the bottom and uncheck "Autoselect ancillary drivers (tuners, sensors, i2c, spi, frontends)".
Uncheck every option in "I2C Encoders, decoders, sensors and other helper chips".
In "Customize TV tuners", uncheck every option except "Rafael Micro R820T silicon tuner".
In "Customise DVB Frontends", uncheck every option except:
"Realtek RTL2830 DVB-T"
"Realtek RTL2832 DVB-T"
"Realtek RTL2832 SDR"
Then return to the main menu.

As shown in the figures:

[Figures: Multimedia_support, Media_usb, unselect, I2C_EN, Custom_TV, Custom_DVB]

Enter "Device Drivers" -> "HID support" and check:
"Battery level reporting for HID devices"
"/dev/hidraw raw HID device support"
"User-space I/O driver support for HID subsystem"
"Generic HID driver"
Check every option in "Special HID drivers", "USB HID support" and "HID over I2C transport layer".
Then return to the previous menu.

As shown in the figures:

[Figures: HID_support, Special_HID, USB_HID, I2C_HID]

Next enter "Device Drivers" -> "USB support" and check:
"Support for Host-side USB"
"OTG support"
"USB Modem (CDC ACM) support"
"USB Wireless Device Management support"
"USB Mass Storage support"
"USB Serial Converter support"

In "USB Serial Converter support", check:
"USB Serial Console device support"
"USB Generic Serial Driver"
"USB Serial Simple Driver"
"USB Winchiphead CH341 Single Port Serial Driver"
"USB CP210x family of UART Bridge Controllers"
"USB FTDI Single Port Serial Driver"
"USB Prolific 2303 Single Port Serial Driver"

In "USB Gadget Support", check:
"USB functions configurable through configfs"
"Generic serial bulk in/out"
"Abstract Control Model (CDC ACM)"
"Object Exchange Model (CDC OBEX)"
"Network Control Model (CDC NCM)"
"Ethernet Control Model (CDC ECM)"
"Ethernet Control Model (CDC ECM) subset"
"QCRNDIS"
"RNDIS"
"RMNET_BAM"
"Ethernet Emulation Model (EEM)"
"Mass storage"
"Function filesystem (FunctionFS)"
"MTP gadget"
"PTP gadget"
"Accessory gadget"
"Audio Source gadget"
"Uevent notification of Gadget state"
"MIDI function"
"HID function"
"USB Diag function"
"USB Serial Character function"
"USB CCID function"
"USB QDSS function"
Then return to the main menu, exit and save the configuration.

As shown in the figures:

[Figures: USB_support, USB_Serial, USB_Gadget]

make ${args} savedefconfig
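
An added check, not part of the original post or of the NetHunter project: before starting the build, confirm that the options ticked in menuconfig actually ended up in out/.config. The symbol list is an assumed mapping of some of the menu entries above to their mainline Kconfig names, the KCONFIG_FILE variable is a name introduced here, and the sample config is constructed.

```bash
#!/bin/sh
# Added example: report Kconfig symbols that are not enabled (=y or =m) in a .config.
# Assumed mapping of some menu entries above to mainline Kconfig names;
# adjust the list to your kernel tree.
REQUIRED_SYMBOLS="SYSVIPC MODULES MODULE_FORCE_LOAD MODULE_UNLOAD \
MODULE_FORCE_UNLOAD MODVERSIONS BT_HCIBTUSB BT_HCIUART BT_RFCOMM BT_BNEP \
BT_HIDP CFG80211_WEXT MAC80211 HIDRAW UHID USB_ACM USB_CONFIGFS_F_HID"

# Print every listed symbol that is not set to y or m in the config file.
# "# CONFIG_X is not set" lines and absent symbols both count as missing.
missing_kconfig() {
    cfg="$1"; shift
    for sym in "$@"; do
        grep -Eq "^CONFIG_${sym}=(y|m)$" "$cfg" || printf '%s\n' "CONFIG_${sym}"
    done
}

# Return 0 if nothing is missing, 1 otherwise (usable as a pre-build gate).
check_kconfig() {
    missing=$(missing_kconfig "$@")
    [ -z "$missing" ] && return 0
    printf 'not enabled:\n%s\n' "$missing" >&2
    return 1
}

# Constructed sample input, not taken from a real build.
sample_config() {
    cat <<'EOF'
CONFIG_SYSVIPC=y
CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y
CONFIG_BT_HCIBTUSB=m
# CONFIG_USB_CONFIGFS_F_HID is not set
CONFIG_HIDRAW=y
EOF
}

# Real use: KCONFIG_FILE=out/.config sh this_script.sh
if [ -f "${KCONFIG_FILE:-}" ]; then
    check_kconfig "$KCONFIG_FILE" $REQUIRED_SYMBOLS
fi
```

A symbol reported as missing usually means a dependency was not selected, so the entry was silently dropped when the configuration was saved.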

make ${args} 2>&1 | tee kernel.log

make ${args} INSTALL_MOD_PATH="." INSTALL_MOD_STRIP=1 modules_install

git clone https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project /root/kali-nethunter-project --depth=1

mkdir -p /root/kali-nethunter-project/nethunter-installer/devices/
touch /root/kali-nethunter-project/nethunter-installer/devices/devices.cfg
vim /root/kali-nethunter-project/nethunter-installer/devices/devices.cfg

Following the official tutorial, add the following content and save:

# Xiaomi Redmi4X for crDroid Android 11
[santoni]
author = "DroidKali"
arch = arm64
version = "v1.0"
flasher = anykernel
modules = 1
slot_device = 0
block = /dev/block/bootdevice/by-name/boot
devicenames = santoni,Redmi4x

mkdir -p /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni/modules/system/lib/modules

# Kernel release string of this source tree (command substitution, not ${...})
KVER="$(make -s kernelversion)"
cp out/arch/arm64/boot/Image.gz-dtb /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni
# Drop the symlinks back into the build tree before copying the modules
rm -rf "out/lib/modules/${KVER}-NetHunter/source"
rm -rf "out/lib/modules/${KVER}-NetHunter/build"
cp -r "out/lib/modules/${KVER}-NetHunter" /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni/modules/system/lib/modules/

cd /root/kali-nethunter-project/nethunter-installer/
python3 build.py -d santoni --eleven --kernel

wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip
unzip platform-tools-latest-linux.zip -d /usr/share/
# Append to .zshrc rather than overwrite it
echo 'export PATH="/usr/share/platform-tools:$PATH"' >> /root/.zshrc
source /root/.zshrc
rm -rf platform-tools-latest-linux.zip

adb reboot recovery

adb sideload kernel-nethunter-eleven-santoni-20210905_111235.zip

Kali NetHunter | Kali Linux Documentation

NetHunter gitlab repository

"Hacker phone" free giveaway - Zhihu column

Follow me to build Kali NetHunter for any phone

Building a Kernel for the Razor Phone 2 - Live feed

Information on Compiling Android Kernels with Clang

[Kernel] - Choosing a cross-compiler